https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
z

Zach Zeid

11/17/2022, 6:59 PM
does osquery have a way to gather was VSCode extensions are installed on a Mac?
g

Gavin

11/17/2022, 7:20 PM
You can write a custom extension to shell out to code and run the --list-extensions
Or use the 
file
table Something like this could be a starting point
Copy code
SELECT
f.filename,
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime,'unixepoch') AS file_last_access_time,
datetime(f.mtime,'unixepoch') AS file_last_modified_time,
datetime(f.ctime,'unixepoch') AS file_last_status_change_time,
datetime(f.btime,'unixepoch') AS file_created_time,
ROUND((f.size * 10e-7),4) AS size_megabytes
FROM file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE ((f.directory like "/home/%%/.local/share/JetBrains/%/")
 OR (f.directory like "C:\users\%\AppData\%\JetBrains\%\Plugins\") 
 OR (f.directory like "/Users/%/Library/Application Support/JetBrains/%/plugins/")) 
 AND (
     (filename not like "%.xml") AND (filename not like "%.json") AND
     (filename not like "%.etag")
 );
z

Zach Zeid

11/17/2022, 8:09 PM
this helps thank you!
s

seph

11/17/2022, 10:09 PM
They’re stored in user homedirs. So you can dig through them, and parse the json. (Though there’s no native osquery json table)
5 Views
Powered by